Updated on 2024-07-30 GMT+08:00

Modifying an OpenID Connect Identity Provider

Function

Administrators use this API to modify an OpenID Connect identity provider.

The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.

Debugging

You can debug this API in API Explorer.

URI

PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config

Table 1 URI parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| idp_id | Yes | String | Identity provider ID. Length: 1 to 64 characters. |

Request Parameters

Table 2 Parameters in the request header

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Set this field to application/json;charset=utf8. |
| X-Auth-Token | Yes | String | Access token issued to a user, carrying the user's identity and permissions. For details about the permissions required by the token, see Actions. |

Table 3 Parameter in the request body

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| openid_connect_config | Yes | object | OpenID Connect configurations. |

Table 4 openid_connect_config

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| access_mode | No | String | Access type. Options: program_console (programmatic access and management console access); program (programmatic access only). |
| idp_url | No | String | URL of the OpenID Connect identity provider. This field corresponds to the iss field in the ID token. Length: 10 to 255 characters. |
| client_id | No | String | ID of a client registered with the OpenID Connect identity provider. Length: 5 to 255 characters. |
| authorization_endpoint | No | String | Authorization endpoint of the OpenID Connect identity provider. This field is required only if the access type is set to programmatic access and management console access. Length: 10 to 255 characters. |
| scope | No | String | Scopes of authorization requests. This field is required only if the access type is set to programmatic access and management console access. Enumerated values: openid, email, profile. NOTE: openid must be specified for this field. Specify 1 to 10 values, and separate them with spaces. Examples: openid, openid email, openid profile, and openid email profile. |
| response_type | No | String | Response type. This field is required only if the access type is set to programmatic access and management console access. Enumerated value: id_token. |
| response_mode | No | String | Response mode. This field is required only if the access type is set to programmatic access and management console access. Enumerated values: fragment, form_post. |
| signing_key | No | String | Public key of the key pair used to sign the ID tokens of the OpenID Connect identity provider. Length: 10 to 30,000 characters. See the format example below the table. |

Format example of signing_key:

{
  "keys":[
     {
        "kid":"d05ef20c4512645vv1...",
        "n":"cws_cnjiwsbvweolwn_-vnl...",
        "e":"AQAB",
        "kty":"RSA",
        "use":"sig",
        "alg":"RS256"
      }
   ]
}

Response Parameters

Status code: 200

Table 5 Parameters in the response body

| Parameter | Type | Description |
|---|---|---|
| openid_connect_config | object | OpenID Connect configurations. |

Table 6 OpenIDConnectConfig

| Parameter | Type | Description |
|---|---|---|
| access_mode | String | Access type. Options: program_console (programmatic access and management console access); program (programmatic access only). |
| idp_url | String | URL of the OpenID Connect identity provider. This field corresponds to the iss field in the ID token. |
| client_id | String | ID of a client registered with the OpenID Connect identity provider. |
| authorization_endpoint | String | Authorization endpoint of the OpenID Connect identity provider. This field is required only if the access type is set to programmatic access and management console access. |
| scope | String | Scopes of authorization requests. This field is required only if the access type is set to programmatic access and management console access. Enumerated values: openid, email, profile. NOTE: openid must be specified for this field. Specify 1 to 10 values, and separate them with spaces. Examples: openid, openid email, openid profile, and openid email profile. |
| response_type | String | Response type. This field is required only if the access type is set to programmatic access and management console access. Enumerated value: id_token. |
| response_mode | String | Response mode. This field is required only if the access type is set to programmatic access and management console access. Enumerated values: fragment, form_post. |
| signing_key | String | Public key of the key pair used to sign the ID tokens of the OpenID Connect identity provider. |

Example Request

  • Modifying an identity provider that supports programmatic access
    PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config 
      
     { 
       "openid_connect_config" : { 
         "access_mode" : "program", 
         "idp_url" : "https://accounts.example.com", 
         "client_id" : "client_id_example", 
         "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}" 
       } 
     }
  • Modifying an identity provider that supports programmatic access and management console access
    PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config 
      
     { 
       "openid_connect_config" : { 
         "access_mode" : "program_console", 
         "idp_url" : "https://accounts.example.com", 
         "client_id" : "client_id_example", 
         "authorization_endpoint" : "https://accounts.example.com/o/oauth2/v2/auth", 
         "scope" : "openid", 
         "response_type" : "id_token", 
         "response_mode" : "form_post", 
         "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}" 
       } 
     }
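
The constraints in Table 4 can be checked on the client before the PUT request is sent. The following Python code is an added example, not part of the original API reference or of any SDK; the names check_config and check_signing_key and the sample values are constructed here, and the rejection of private-key JWK members is an added safeguard based on RFC 7518 rather than a rule stated in the table.

```python
import json

# Constraints transcribed from Table 4 of this page.
LENGTHS = {"idp_url": (10, 255), "client_id": (5, 255),
           "authorization_endpoint": (10, 255), "signing_key": (10, 30000)}
ENUMS = {"access_mode": ("program", "program_console"), "response_type": ("id_token",),
         "response_mode": ("fragment", "form_post")}
SCOPES = {"openid", "email", "profile"}
CONSOLE_FIELDS = ("authorization_endpoint", "scope", "response_type", "response_mode")
# Private-key JWK members (RFC 7518); a verification key must carry none of them.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

def check_signing_key(value):
    """signing_key is a JSON document serialized into a string, not a nested object."""
    try:
        keys = json.loads(value)["keys"]
    except (ValueError, KeyError, TypeError):
        return ["signing_key: must be a string containing JSON with a 'keys' array"]
    if not isinstance(keys, list) or not keys or not all(isinstance(k, dict) for k in keys):
        return ["signing_key: 'keys' must be a non-empty array of JWK objects"]
    return [f"signing_key.keys[{i}]: private members {sorted(PRIVATE_JWK_MEMBERS & set(k))}"
            for i, k in enumerate(keys) if PRIVATE_JWK_MEMBERS & set(k)]

def check_config(cfg):
    """Return a list of problems in an openid_connect_config dict (empty if none)."""
    errs = []
    for name, (lo, hi) in LENGTHS.items():
        if name in cfg and not (isinstance(cfg[name], str) and lo <= len(cfg[name]) <= hi):
            errs.append(f"{name}: must be a string of {lo} to {hi} characters")
    for name, allowed in ENUMS.items():
        if name in cfg and cfg[name] not in allowed:
            errs.append(f"{name}: must be one of {list(allowed)}")
    # Assumption: the console-only fields are enforced when the request sets program_console.
    if cfg.get("access_mode") == "program_console":
        errs += [f"{n}: required for program_console" for n in CONSOLE_FIELDS if n not in cfg]
    if "scope" in cfg:
        scopes = str(cfg["scope"]).split(" ")
        if not 1 <= len(scopes) <= 10 or "openid" not in scopes or set(scopes) - SCOPES:
            errs.append("scope: 1 to 10 space-separated values of openid/email/profile, incl. openid")
    if "signing_key" in cfg:
        errs += check_signing_key(cfg["signing_key"])
    return errs

# Constructed sample: the JWK Set is serialized first, then embedded as a string value.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "e": "AQAB", "use": "sig", "n": "example",
                         "kid": "kid_example", "alg": "RS256"}]}
SAMPLE = {"access_mode": "program", "idp_url": "https://accounts.example.com",
          "client_id": "client_id_example", "signing_key": json.dumps(SAMPLE_JWKS)}
```

Calling json.dumps({"openid_connect_config": SAMPLE}) after check_config(SAMPLE) returns an empty list produces a body with the same escaped signing_key string as the example requests above.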

Example Response

Status code: 200

The request is successful.
{ 
  "openid_connect_config" : { 
    "access_mode" : "program_console", 
    "idp_url" : "https://accounts.example.com", 
    "client_id" : "client_id_example", 
    "authorization_endpoint" : "https://accounts.example.com/o/oauth2/v2/auth", 
    "scope" : "openid", 
    "response_type" : "id_token", 
    "response_mode" : "form_post", 
    "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}" 
  } 
}

Status Codes

| Status Code | Description |
|---|---|
| 200 | The request is successful. |
| 400 | Invalid parameters. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 404 | The requested resource cannot be found. |
| 500 | Internal server error. |

Error Codes

For details, see Error Codes.